GHSA-72R4-9C5J-MJ57

Vulnerability from github – Published: 2026-06-27 00:12 – Updated: 2026-06-27 00:12
VLAI
Summary
pnpm: `patch-remove` could delete project-selected files outside the patches directory
Details

Summary

The patch-remove deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm.

A crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it.

Security boundary

  • Traversal and absolute paths that resolve outside the configured patches directory are rejected before deletion.
  • Parent directories are canonicalized before deletion, including the case where a nested symlink points outside and the final outside entry is itself dangling.
  • The complete batch is validated before any file is removed.
  • Component-aware predicates accept valid names beginning with .. while still rejecting parent traversal, Windows drive escapes, and UNC escapes.
  • Valid files and symlinked patch directories whose canonical targets remain below the lockfile directory continue to work.
  • A final symlink inside a valid patch directory is unlinked without following its target, including when the target is outside or dangling.

Exploit replay

Before the patch, a workspace patchedDependencies path that resolved outside the project caused pnpm patch-remove to delete the external sentinel. A second replay used a nested parent symlink and a dangling outside victim: realpath() returned ENOENT, yet the victim was still removed. With this patch, both paths are rejected and the outside entries remain intact.

Files changed

  • patching/commands/src/isSubdirectory.ts performs component-aware containment checks.
  • patching/commands/src/patchRemove.ts validates the full batch, canonicalizes parents, and unlinks final entries without following them.
  • patching/commands/test/{isSubdirectory,patchRemove}.test.ts covers traversal, nested symlinks, dangling victims, and valid removals.

Commands run

$ pnpm --filter @pnpm/patching.commands test test/isSubdirectory.test.ts test/patchRemove.test.ts
PASS: 11 tests across 2 suites
$ pnpm --filter @pnpm/patching.commands run compile
PASS
$ git diff --check
PASS

Validation

  • Focused handler and path-predicate suites: 11 passed across 2 suites.
  • Package-wide ESLint: passed.
  • Package TypeScript build: passed.
  • Commit hooks, Commitlint, and git diff --check: passed.
  • The broader integration harness was environment-blocked because it writes outside the available temporary root; focused handler tests used /private/tmp.

Patches

10.34.4: https://github.com/pnpm/pnpm/commit/352ae489f1b14ffdc19d2c6eacb1b06b098c2ddc 11.7.0: https://github.com/pnpm/pnpm/commit/612a2e6a7333f2b061f452a21b6e62c1c161747f

Compatibility

Missing patch files remain no-ops. Valid symlinked patch directories continue to work when their canonical target stays inside the lockfile directory, and final symlinks are removed without touching their targets. patch-remove is not yet in pacquet's command surface, so no Rust-side parity change is required.

Remaining risk

Portable Node APIs do not expose directory-fd-relative unlinkat(). A local attacker who can replace an already validated parent directory before the unlink may still win a time-of-check/time-of-use race. The reproduced repository-controlled traversal and symlink paths do not require that concurrent capability and are blocked by this patch.


Written by an agent (Codex, GPT-5).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.34.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-27T00:12:39Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm.\n\nA crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it.\n\n## Security boundary\n\n- Traversal and absolute paths that resolve outside the configured patches directory are rejected before deletion.\n- Parent directories are canonicalized before deletion, including the case where a nested symlink points outside and the final outside entry is itself dangling.\n- The complete batch is validated before any file is removed.\n- Component-aware predicates accept valid names beginning with `..` while still rejecting parent traversal, Windows drive escapes, and UNC escapes.\n- Valid files and symlinked patch directories whose canonical targets remain below the lockfile directory continue to work.\n- A final symlink inside a valid patch directory is unlinked without following its target, including when the target is outside or dangling.\n\n## Exploit replay\n\nBefore the patch, a workspace `patchedDependencies` path that resolved outside the project caused `pnpm patch-remove` to delete the external sentinel. A second replay used a nested parent symlink and a dangling outside victim: `realpath()` returned `ENOENT`, yet the victim was still removed. With this patch, both paths are rejected and the outside entries remain intact.\n\n## Files changed\n\n- `patching/commands/src/isSubdirectory.ts` performs component-aware containment checks.\n- `patching/commands/src/patchRemove.ts` validates the full batch, canonicalizes parents, and unlinks final entries without following them.\n- `patching/commands/test/{isSubdirectory,patchRemove}.test.ts` covers traversal, nested symlinks, dangling victims, and valid removals.\n\n## Commands run\n\n```text\n$ pnpm --filter @pnpm/patching.commands test test/isSubdirectory.test.ts test/patchRemove.test.ts\nPASS: 11 tests across 2 suites\n$ pnpm --filter @pnpm/patching.commands run compile\nPASS\n$ git diff --check\nPASS\n```\n\n## Validation\n\n- Focused handler and path-predicate suites: 11 passed across 2 suites.\n- Package-wide ESLint: passed.\n- Package TypeScript build: passed.\n- Commit hooks, Commitlint, and `git diff --check`: passed.\n- The broader integration harness was environment-blocked because it writes outside the available temporary root; focused handler tests used `/private/tmp`.\n\n## Patches\n\n`10.34.4`: https://github.com/pnpm/pnpm/commit/352ae489f1b14ffdc19d2c6eacb1b06b098c2ddc\n`11.7.0`: https://github.com/pnpm/pnpm/commit/612a2e6a7333f2b061f452a21b6e62c1c161747f\n\n## Compatibility\n\nMissing patch files remain no-ops. Valid symlinked patch directories continue to work when their canonical target stays inside the lockfile directory, and final symlinks are removed without touching their targets. `patch-remove` is not yet in pacquet\u0027s command surface, so no Rust-side parity change is required.\n\n## Remaining risk\n\nPortable Node APIs do not expose directory-fd-relative `unlinkat()`. A local attacker who can replace an already validated parent directory before the unlink may still win a time-of-check/time-of-use race. The reproduced repository-controlled traversal and symlink paths do not require that concurrent capability and are blocked by this patch.\n\n---\nWritten by an agent (Codex, GPT-5).",
  "id": "GHSA-72r4-9c5j-mj57",
  "modified": "2026-06-27T00:12:39Z",
  "published": "2026-06-27T00:12:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-72r4-9c5j-mj57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/commit/612a2e6a7333f2b061f452a21b6e62c1c161747f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    },
    {
      "type": "WEB",
      "url": "http://github.com/pnpm/pnpm/commit/352ae489f1b14ffdc19d2c6eacb1b06b098c2ddc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm: `patch-remove` could delete project-selected files outside the patches directory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…